ed6408bf498f7605be9705172a2d9fcca7c90200fdf838f3d0611e259fa63997

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe
Size

408KB
MD5

53c449c5307d19634656a1f4b52cbdd7
SHA1

b963f4e3218a62eb09a08824b9f1ee4f27308627
SHA256

ed6408bf498f7605be9705172a2d9fcca7c90200fdf838f3d0611e259fa63997
SHA512

19bc6dd188ce56524c10639a6725084692222fcea28d600f60fae9f7cafc2b4546d1e751f81bcadcacad276ac26f2b07a88f8149fdc15d90c42d63468951270f
SSDEEP

3072:CEGh0okl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGCldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012265-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ca-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012265-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000b1f5-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000b1f5-48.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000b1f5-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000b1f5-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-82.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77E12C69-2F11-4624-86D4-DF53F0925A17}\stubpath = "C:\\Windows\\{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe"	{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57B0368-1A5E-4f57-A76B-898D96DE887F}	{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9CC04F8-204E-4f74-A4B3-320149CB0658}\stubpath = "C:\\Windows\\{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe"	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}\stubpath = "C:\\Windows\\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe"	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}\stubpath = "C:\\Windows\\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe"	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}\stubpath = "C:\\Windows\\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe"	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77E12C69-2F11-4624-86D4-DF53F0925A17}	{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F57B0368-1A5E-4f57-A76B-898D96DE887F}\stubpath = "C:\\Windows\\{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe"	{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F22388-8054-4c2f-96E3-286474D34A97}	{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8776F18C-EBF8-493d-9FE7-FF89B993B340}\stubpath = "C:\\Windows\\{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe"	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}	{C8F22388-8054-4c2f-96E3-286474D34A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}\stubpath = "C:\\Windows\\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}.exe"	{C8F22388-8054-4c2f-96E3-286474D34A97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}\stubpath = "C:\\Windows\\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe"	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8776F18C-EBF8-493d-9FE7-FF89B993B340}	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8F22388-8054-4c2f-96E3-286474D34A97}\stubpath = "C:\\Windows\\{C8F22388-8054-4c2f-96E3-286474D34A97}.exe"	{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9CC04F8-204E-4f74-A4B3-320149CB0658}	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}\stubpath = "C:\\Windows\\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe"	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}\stubpath = "C:\\Windows\\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe"	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe
2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
684	{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe
2028	{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
2168	{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
1060	{C8F22388-8054-4c2f-96E3-286474D34A97}.exe
344	{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
File created	C:\Windows\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
File created	C:\Windows\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe
File created	C:\Windows\{C8F22388-8054-4c2f-96E3-286474D34A97}.exe	{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
File created	C:\Windows\{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe
File created	C:\Windows\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
File created	C:\Windows\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
File created	C:\Windows\{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe	{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
File created	C:\Windows\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}.exe	{C8F22388-8054-4c2f-96E3-286474D34A97}.exe
File created	C:\Windows\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
File created	C:\Windows\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
File created	C:\Windows\{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe	{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
Token: SeIncBasePriorityPrivilege	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
Token: SeIncBasePriorityPrivilege	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
Token: SeIncBasePriorityPrivilege	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
Token: SeIncBasePriorityPrivilege	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
Token: SeIncBasePriorityPrivilege	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe
Token: SeIncBasePriorityPrivilege	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
Token: SeIncBasePriorityPrivilege	684	{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe
Token: SeIncBasePriorityPrivilege	2028	{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
Token: SeIncBasePriorityPrivilege	2168	{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
Token: SeIncBasePriorityPrivilege	1060	{C8F22388-8054-4c2f-96E3-286474D34A97}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2056	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	28
PID 2104 wrote to memory of 2056	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	28
PID 2104 wrote to memory of 2056	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	28
PID 2104 wrote to memory of 2056	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	28
PID 2104 wrote to memory of 2368	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	29
PID 2104 wrote to memory of 2368	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	29
PID 2104 wrote to memory of 2368	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	29
PID 2104 wrote to memory of 2368	2104	2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe	29
PID 2056 wrote to memory of 2724	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	30
PID 2056 wrote to memory of 2724	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	30
PID 2056 wrote to memory of 2724	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	30
PID 2056 wrote to memory of 2724	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	30
PID 2056 wrote to memory of 2828	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	31
PID 2056 wrote to memory of 2828	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	31
PID 2056 wrote to memory of 2828	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	31
PID 2056 wrote to memory of 2828	2056	{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe	31
PID 2724 wrote to memory of 2600	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	33
PID 2724 wrote to memory of 2600	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	33
PID 2724 wrote to memory of 2600	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	33
PID 2724 wrote to memory of 2600	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	33
PID 2724 wrote to memory of 2500	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	32
PID 2724 wrote to memory of 2500	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	32
PID 2724 wrote to memory of 2500	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	32
PID 2724 wrote to memory of 2500	2724	{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe	32
PID 2600 wrote to memory of 1376	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	36
PID 2600 wrote to memory of 1376	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	36
PID 2600 wrote to memory of 1376	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	36
PID 2600 wrote to memory of 1376	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	36
PID 2600 wrote to memory of 1796	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	37
PID 2600 wrote to memory of 1796	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	37
PID 2600 wrote to memory of 1796	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	37
PID 2600 wrote to memory of 1796	2600	{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe	37
PID 1376 wrote to memory of 2956	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	38
PID 1376 wrote to memory of 2956	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	38
PID 1376 wrote to memory of 2956	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	38
PID 1376 wrote to memory of 2956	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	38
PID 1376 wrote to memory of 2972	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	39
PID 1376 wrote to memory of 2972	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	39
PID 1376 wrote to memory of 2972	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	39
PID 1376 wrote to memory of 2972	1376	{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe	39
PID 2956 wrote to memory of 2232	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	41
PID 2956 wrote to memory of 2232	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	41
PID 2956 wrote to memory of 2232	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	41
PID 2956 wrote to memory of 2232	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	41
PID 2956 wrote to memory of 1600	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	40
PID 2956 wrote to memory of 1600	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	40
PID 2956 wrote to memory of 1600	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	40
PID 2956 wrote to memory of 1600	2956	{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe	40
PID 2232 wrote to memory of 2624	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	42
PID 2232 wrote to memory of 2624	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	42
PID 2232 wrote to memory of 2624	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	42
PID 2232 wrote to memory of 2624	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	42
PID 2232 wrote to memory of 1052	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	43
PID 2232 wrote to memory of 1052	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	43
PID 2232 wrote to memory of 1052	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	43
PID 2232 wrote to memory of 1052	2232	{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe	43
PID 2624 wrote to memory of 684	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	45
PID 2624 wrote to memory of 684	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	45
PID 2624 wrote to memory of 684	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	45
PID 2624 wrote to memory of 684	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	45
PID 2624 wrote to memory of 1424	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	44
PID 2624 wrote to memory of 1424	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	44
PID 2624 wrote to memory of 1424	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	44
PID 2624 wrote to memory of 1424	2624	{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_53c449c5307d19634656a1f4b52cbdd7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
  C:\Windows\{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
    C:\Windows\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08A4B~1.EXE > nul
      4⤵
      PID:2500
  - - C:\Windows\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
      C:\Windows\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
        
        C:\Windows\{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
        
        C:\Windows\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3102~1.EXE > nul
        7⤵
        
        PID:1600
        
        C:\Windows\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe
        
        C:\Windows\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
        
        C:\Windows\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A7E7~1.EXE > nul
        9⤵
        
        PID:1424
        
        C:\Windows\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe
        
        C:\Windows\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
        
        C:\Windows\{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77E12~1.EXE > nul
        11⤵
        
        PID:3028
        
        C:\Windows\{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
        
        C:\Windows\{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F57B0~1.EXE > nul
        12⤵
        
        PID:1428
        
        C:\Windows\{C8F22388-8054-4c2f-96E3-286474D34A97}.exe
        
        C:\Windows\{C8F22388-8054-4c2f-96E3-286474D34A97}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}.exe
        
        C:\Windows\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}.exe
        13⤵
        Executes dropped EXE
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8F22~1.EXE > nul
        13⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C399A~1.EXE > nul
        10⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40E3F~1.EXE > nul
        8⤵
        
        PID:1052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8776F~1.EXE > nul
        6⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6680A~1.EXE > nul
        5⤵
        
        PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9CC0~1.EXE > nul
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08A4B288-577C-4d1a-A17B-6AE0B0020F36}.exe

Filesize
408KB

MD5
16a744f2ed7efeee4a3ac0b0712178b4

SHA1
bd4840140d1134c7be442d2b9240e71ba9cee999

SHA256
0f304f2398d5d621f8db9d360f4b111d2dd437f087b26c2007a9d34a111710ea

SHA512
041e65f6f640806facccf979f41adb8984eaa28ce500a7b36a60c22acdd18be8aa54af8b2c917a748cbb04538fcbdd92587ce39b6217cd281cda8cd8f0aed7cb

Download Submit
C:\Windows\{40E3F50F-AA1E-4cd7-9657-A782BE2C2D53}.exe

Filesize
408KB

MD5
50e0fb915a8ebdfe6dd56c286d2a621a

SHA1
6ee3e64135c1dc9f9e0eb67a5fc0ef49c7867ff9

SHA256
d42e88d0789486cb61469eabf71d023e56ed6b54f5a7a0f6a2a01c522ec0dbde

SHA512
ef33c32e7910b9cb4b28a4d007640dad7dab763690916a1eeaac0962c7faf3ddbb85262efc5f72d77929fae9845f4014cd0319292747de634f4c18acb68d417c

Download Submit
C:\Windows\{4B8BA0FC-C6A4-469e-A64D-4BA8D32F76F5}.exe

Filesize
408KB

MD5
d8808d9edbe3a06d31465f760bdbea0b

SHA1
0a9c4cf4d0aeae685aa4b0dbaff6063840ec28da

SHA256
d88eb7c8cd3da87a5c7de1b2d879f3fd236ea4fe8c16e79fe43161adb8e4d345

SHA512
6048438c180a7131579c77c4b8f255c52fedae88548332d043b3176b2b6a78830ca9371264f9993df7559b4253a0ec6a402186c822c92f1a2801d09236537f4e

Download Submit
C:\Windows\{6680AAE2-ED10-43c6-B322-49916FC8EFE9}.exe

Filesize
408KB

MD5
132257e79cce74b5bf4ec6d3c195d1f1

SHA1
a253e74a26e52d72c4669a7537635adc731c9460

SHA256
6789ec4580d7fd2955aefe22b180ad5b555f73902f25c87b3ce4cd32c5ec42a8

SHA512
c3aa51c4ff848eb3f8df372f338b2a1fed666edb5d7f194cea7589653599db10c701ffaa2d4e6ac41aff32499f9ea4a6f9e92eb438bb60e6b3cefd677eee6218

Download Submit
C:\Windows\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe

Filesize
408KB

MD5
b60c80ba2f540b1093a2eb32db5fd827

SHA1
9db913cebcdfffe000be891e3a7e6f6cec41eb5f

SHA256
e3c81756522758ac226b5a8ddbefcbe4fe8bdb0c46cd821f8d78c4230f6d8cb6

SHA512
f329e2ce7bce3346a3782df954fa63bac5093e70d84bc26ac592a252d7956c151c63f37e20d8a805fe35cbacb9e6d1e0d547f9f042666060473a6ea127e6a902

Download Submit
C:\Windows\{6A7E7DB5-8C91-4958-B003-CBED8B3FD5A6}.exe

Filesize
361KB

MD5
c3beb2b0203057a0daa14d109ea6f731

SHA1
240de1de49da790685cae5872946feb2db3396f2

SHA256
145ab3e5fe1566142d43e2937b698da77f12a7d197d4b20667f0c269bcb5eb06

SHA512
bd3c4f2345cf1f47748f4bd0caceebc6831b304cd23cbc33ab3ca249a50de5b693b1cb28cd4a71b7465705f101e7b83210693f28fbd99b0afa242f804ea62866

Download Submit
C:\Windows\{77E12C69-2F11-4624-86D4-DF53F0925A17}.exe

Filesize
408KB

MD5
d572cae88dfc59ea5fef49614fab6f11

SHA1
e15827dcb2e86f5af4e439db0ceabdfb050df27e

SHA256
3c02695569b70a7e1a19c00e067b10de03b62cad73292ece19736f6776253663

SHA512
5f69fe05b9b8730369773e63352e12ebf3b2c2da7ab1b849eada19062970a36f62d147d91b6142f5c7faf29c8e4bfb7d3ba8aa3c558d00164270daeee5b1e420

Download Submit
C:\Windows\{8776F18C-EBF8-493d-9FE7-FF89B993B340}.exe

Filesize
408KB

MD5
b0ed083c13e69818e54089eb7e3ec7d3

SHA1
493d5a2dd4b27ca945439cb59306eeaa3d276046

SHA256
f5a2eca0b632e63afa7d9b63ee9a75c36a8ea0c1587f8cb4f411db9a8ff5d220

SHA512
a20c0ccd22d6b63b144e461fb6ce70bd5b841d00d18acf860640aa9da22c3a509c7e1c179e41698ea4e11ee1931729b15bf7c56332bf0b15d645401042e787c0

Download Submit
C:\Windows\{C399AC1B-F904-4980-AF0C-45EF2DD46F7F}.exe

Filesize
408KB

MD5
2abc199d4650642c57b5126db6bd0163

SHA1
40b89dcab977c08e7729ca4ef3113b23a40eeb65

SHA256
6c7cce563d9af26fb95d0438b50cfdf5ccf81d8baecc7f3f584cca9fa85f4bd6

SHA512
a0f3d6bf6bb42c1193349e804f12bbc594025fcfadb03e404c0e96a5ef9ff65c4ae79ef35d3a899f663868060dea5e4fd316c07ca3028e7e46c887ef2526f88d

Download Submit
C:\Windows\{C8F22388-8054-4c2f-96E3-286474D34A97}.exe

Filesize
408KB

MD5
fa0fc28031e29873a5023d6b7b2164af

SHA1
ca77c2083b6b4359d97a6ac400687e8305abfe62

SHA256
3889c389c227eb9b66a5764810823d1252bc343ca021412db691ef4303f6887e

SHA512
ecbb7bb66a45ac855fe960befbabd2a9cc4fde9e95d9aacce181d9ecab76cf59009e5cbc3c8083c617fce191572fbb93aae1e10e70f6a9296bf771db488b94fb

Download Submit
C:\Windows\{F3102ABC-085A-4158-B9C3-CDA929DDF3DF}.exe

Filesize
408KB

MD5
95ded9db6a1bbdb04d00052ccd44f572

SHA1
e2174b14c600d0d62739d041c243f6f5b5051602

SHA256
c903a919f3d7db338c866670ed6d566df4dab3b17a937c198910d8fc0ea40edc

SHA512
fbfb71e39c0f7aff89ffe9f896ca3ad70a05bbc104e91aa53888b201b206e678e7962ac2bf84d24990652ccdeff39f41e36693aeef94d2177342c49bad2ab9a4

Download Submit
C:\Windows\{F57B0368-1A5E-4f57-A76B-898D96DE887F}.exe

Filesize
408KB

MD5
4ca301c8a8ec387beddfbf39f297931d

SHA1
aceebc2218ec4225b8048d48ed4022fb15300af6

SHA256
991c7722c86f4ae84ab278f2e2773a0f52e3cc41a86a61f0ac4b13e33fb1d020

SHA512
a178737ca4b6613267da82a857f83ab222159b73890ef74335cae1f5ec6e4514175a7c9e8085799a6d653020ad155d453e03216b41682df41868eac3b267b474

Download Submit
C:\Windows\{F9CC04F8-204E-4f74-A4B3-320149CB0658}.exe

Filesize
408KB

MD5
c74304cb29c09dcc7c00b423ad4beadf

SHA1
50c7dd4c62feb73323c986b65141fc5a773f3e50

SHA256
6e90f7baf3ad3be568ed54597064187aad4a5d57207836d9b25051e93b699733

SHA512
ff63ec96570e33b456eeaf7aa26a8c1871cc89a4e513e5f0146a1ab7d81937d80beacecbdc2824a11241085d0f1fb902da58d76ff02e9ada0520c8362a78cce4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads